grafana/pkg/services/authz/config.go

66 lines
1.6 KiB
Go
Raw Normal View History

package authz
import (
"fmt"
"github.com/grafana/grafana/pkg/setting"
)
type Mode string
func (s Mode) IsValid() bool {
switch s {
case ModeGRPC, ModeInProc:
return true
}
return false
}
const (
ModeGRPC Mode = "grpc"
ModeInProc Mode = "inproc"
)
type Cfg struct {
remoteAddress string
listen bool
mode Mode
token string
tokenExchangeURL string
tokenNamespace string
allowInsecure bool
}
func ReadCfg(cfg *setting.Cfg) (*Cfg, error) {
authzSection := cfg.SectionWithEnvOverrides("authorization")
grpcClientAuthSection := cfg.SectionWithEnvOverrides("grpc_client_authentication")
mode := Mode(authzSection.Key("mode").MustString(string(ModeInProc)))
if !mode.IsValid() {
return nil, fmt.Errorf("authorization: invalid mode %q", mode)
}
token := grpcClientAuthSection.Key("token").MustString("")
tokenExchangeURL := grpcClientAuthSection.Key("token_exchange_url").MustString("")
tokenNamespace := grpcClientAuthSection.Key("token_namespace").MustString("stacks-" + cfg.StackID)
// When running in cloud mode, the token and tokenExchangeURL are required.
if mode == ModeGRPC && cfg.StackID != "" {
if token == "" || tokenExchangeURL == "" {
return nil, fmt.Errorf("authorization: missing token or tokenExchangeUrl")
}
}
return &Cfg{
remoteAddress: authzSection.Key("remote_address").MustString(""),
listen: authzSection.Key("listen").MustBool(false),
mode: mode,
token: token,
tokenExchangeURL: tokenExchangeURL,
tokenNamespace: tokenNamespace,
allowInsecure: cfg.Env == setting.Dev,
}, nil
}